Hi @RajivBansal-2486,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Answering your 1st question: Is it guaranteed that the traffic from Azure Firewall to Azure resources like Application Insights remains on the Azure backbone?
- Yes, it is generally safe to assume that traffic from Azure Firewall to other Azure resources, such as Application Insights, will remain within the Azure backbone network. Microsoft has designed its network to ensure optimal performance and security within its ecosystem.
But there are some exceptions:
- While traffic is likely to stay within the Azure backbone, it might route through different regions to reach the Application Insights endpoint.
- Some Azure services might have specific routing policies or dependencies that could influence the path.
- Complex network setups with custom routing or third-party integrations could introduce external paths.
Answering your 2nd question: Is it better to route all the outbound traffic in spokes for Azure services to the Firewall, or should it be allowed to go directly to the services from the spoke subnet itself without routing to the Firewall (using User Defined Routes)? If the traffic is routed to the firewall, will it provide any security benefit?
It completely depends on your specific security needs and risk tolerance.
- The Azure Firewall provides a single point for enforcing outbound network security rules, making management easier. For your reference: https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
- Azure Firewall can offer advanced threat intelligence and protection against malicious outbound connections. For your reference: https://azure.microsoft.com/en-in/products/azure-firewall#:~:text=Azure%20Firewall%20taps%20into%20real%2Dtime%20security%20signals%20from%20a%20wide%20range%20of%20sources%20using%20Microsoft%20threat%20intelligence%20to%20guard%20against%20evolving%20threats%20and%20zero%2Dday%20vulnerabilities.
- The Azure Firewall provides detailed logs of all outbound traffic for monitoring and analysis. Azure Firewall controls outbound access based on fully qualified domain names (FQDNs), not just IP addresses. For your reference: https://learn.microsoft.com/en-us/azure/firewall/fqdn-tags#:~:text=You%20can%20use%20an%20FQDN%20tag%20in%20application%20rules%20to%20allow%20the%20required%20outbound%20network%20traffic%20through%20your%20firewall.
But there are a few disadvantages to Azure Firewall:
- Adding a firewall hop can introduce latency, especially for high-volume traffic. Azure Firewall has associated costs, so factor that into your decision. For your reference: https://azure.microsoft.com/en-in/products/azure-firewall#:~:text=Azure%20Firewall%20pricing,based%20on%20traffic.
- Directly routing to Azure resources can improve performance by eliminating the firewall hop, but you will need to manage NSGs on individual subnets, which can be less efficient. NSGs provide basic security rules but lack the advanced capabilities of Azure Firewall.
Benefits of using Azure Firewall:
- Azure Firewall uses threat intelligence feeds to identify and block known malicious IP addresses and domains. For your reference: https://learn.microsoft.com/en-us/azure/firewall/features#threat-intelligence
- It can actively analyze network traffic for suspicious patterns and block potential attacks. For your reference: https://azure.microsoft.com/en-in/products/azure-firewall#:~:text=It%20can%20detect%20attacks%20in%20all%20ports%20and%20protocols%20for%20non%2Dencrypted%20traffic.%20Encrypted%20traffic%20utilizes%20the%20TLS%20inspection%20capability%20for%20decryption.
- You can control outbound access to specific applications or websites. Firewall policies can help segment your network and restrict communication between different parts of your environment. For your reference: https://learn.microsoft.com/en-us/azure/firewall/deploy-firewall-basic-portal-policy
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai.
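The two options discussed in this answer (a User Defined Route that forces spoke egress through Azure Firewall with an FQDN-based application rule, versus allowing the spoke to reach the service directly with an NSG rule) can be expressed side by side in a Bicep template. The template below is an added illustration written for this thread; it is not code from the answer above or from Microsoft. The firewall private IP, the spoke address range (10.1.0.0/16), the policy and resource names, and the Application Insights ingestion FQDNs are assumptions chosen for illustration and should be checked against the current Application Insights networking documentation before use.

```bicep
// Added example: spoke egress to Application Insights via Azure Firewall (UDR + application rule),
// with the NSG-only alternative shown for comparison. All names and addresses are assumed values.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'        // assumed: private IP of the hub Azure Firewall
param spokeAddressSpace string = '10.1.0.0/16'      // assumed: address range of the spoke VNet

// Option 1a: route table attached to spoke subnets. The 0.0.0.0/0 route sends all non-VNet
// traffic to the firewall, so nothing leaves the spoke without passing a firewall rule.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // stop learned routes from bypassing the firewall hop
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Option 1b: firewall policy with threat intelligence in Deny mode and an application rule
// that allows only HTTPS to the Application Insights ingestion FQDNs from the spoke range.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-hub'
  location: location
  properties: {
    threatIntelMode: 'Deny'   // block known-malicious destinations, not just alert on them
  }
}

resource spokeOutboundRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'spoke-outbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-app-insights'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'app-insights-ingestion'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ spokeAddressSpace ]
            // assumed ingestion endpoints; verify against the Application Insights docs
            targetFqdns: [ 'dc.services.visualstudio.com', '*.in.applicationinsights.azure.com' ]
          }
        ]
      }
    ]
  }
}

// Option 2: no UDR, spoke reaches the service directly. Only an NSG with the AzureMonitor
// service tag limits egress; there is no FQDN filtering, threat intelligence, or central log.
resource spokeNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-spoke-direct'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-azuremonitor-https-out'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'AzureMonitor'   // service tag covering Application Insights
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-other-internet-out'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`, then associate either the route table (Option 1) or the NSG (Option 2) with the spoke subnet. The contrast worth noting is that Option 1 gives per-FQDN allow rules, threat-intelligence blocking and a single log source in the firewall, while Option 2 can only allow the whole AzureMonitor service tag and relies on NSG flow logs per subnet.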